Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk Alert: How do I delete when there is no Delete option on Edit/Menu?

altink
Builder
‎01-20-2021 06:34 AM

Hi

Cannot delete an Alert.
There is no Delete Option under Alert's Edit Menu.

Please advise how to delete.

best regards

Altin

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎01-20-2021 07:08 AM

Alert exists in savedsearches.conf file. You can remove the alert stanza from conf file. Below is the sample path.

1. If the search head is not in cluster then remove stanza from below path and restart splunk.
$SPLUNK_HOME/etc/apps/<app_directory>/default/savedsearches.conf 

2. If the search head is in cluster then remove stanza from below path on deployer server then apply the bundle.
$SPLUNK_HOME/etc/shcluster/apps/<app_directory>/default/savedsearches.conf

View solution in original post

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎01-20-2021 06:48 AM

Is this alert created by you or it is part of an app?

If this alert exists in the app's default folder you need to remove it from the app and then deploy the app again. If you don't have access to do that then you can always disable the alert.

0 Karma
Reply
Solved! Jump to solution

altink
Builder
‎01-20-2021 06:58 AM

How do I "remove it from the app" ?
(this ticket was opened for this)
best

Altin

0 Karma
Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎01-20-2021 07:08 AM

Alert exists in savedsearches.conf file. You can remove the alert stanza from conf file. Below is the sample path.

1. If the search head is not in cluster then remove stanza from below path and restart splunk.
$SPLUNK_HOME/etc/apps/<app_directory>/default/savedsearches.conf 

2. If the search head is in cluster then remove stanza from below path on deployer server then apply the bundle.
$SPLUNK_HOME/etc/shcluster/apps/<app_directory>/default/savedsearches.conf

0 Karma
Reply
Solved! Jump to solution

altink
Builder
‎01-20-2021 07:23 AM

Thank you very much @manjunathmeti 

best regards,

Altin

 
Tags (2)
0 Karma
Reply
Solved! Jump to solution

altink
Builder
‎01-20-2021 06:55 AM

Alert is part of an application. And it is owned by Admin.
I am logged as Admin - and cannot delete it

 

best

Altin

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎01-20-2021 06:59 AM

If it is part of the application's default directory then even admin can't delete it. You need to delete it from app and deploy the application again.

0 Karma
Reply
Solved! Jump to solution

altink
Builder
‎01-20-2021 07:07 AM

Do you mean I need to delete the Alert in the config file, in the OS?
And then restart Splunk?

best regards

Altin

0 Karma
Reply
Solved! Jump to solution

TheGearx
Splunk Employee
Splunk Employee
‎03-14-2022 08:14 AM

What you must do is

 

-Download the app and delete the alert/search

-upload the Custom app and the scheduled alert/search must disappear

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...